Worked as dev-team member on many of the early 
jailbreaks until around iOS 4. 

Author of five iOS-related O'Reilly books including 
"Hacking and Securing iOS Applications" 

Designed all of the iOS forensics techniques used in law 
enforcement and commercial products today 

Consulted closely with federal and local law enforcement 
agencies and US military on high profile projects and 
criminal cases 

Trained law enforcement worldwide in iOS forensics and 
penetration arts 



Subject of interest among forensics, law 
enforcement, and criminal communities 

As leaked by Der Spiegel, iOS was targeted by NSA 
for targeted collection 

Later found more evidence of C&C capabilities in 
DROPOUTJEEP leaks via close access methods 

Attacked for everything from cases of national 
security to nude photos of marginally attractive 
celebrities 

A number of forensic techniques exist to acquire data 



Overview of a number of undocumented high-value 
forensic services running on every iOS device 

o How they've evolved 

o What kind of data they provide 

Examples of forensic artifacts acquired that should 
never come off the device without user consent 

Surveillance mechanisms to bypass personal security 
(intended for enterprises), but which make potential targets 

Suspicious design omissions in iOS that make 
collection easier 



What This Talk Is NOT 




• A talk about fun 0days and how we can have a little 
temporary fun with them for a few days. 

o The content discussed here has been around for many years, 
and concerns low-level operating system components 

o Apple is well aware of these components, and has clearly been 
updating them and supporting them for reasons unknown 

o I have emailed both Tim Cook and Steve Jobs at various times 
to ask for an explanation about these services, citing them as 
"back doors", and have received no reply 

o I have received replies from Tim Cook about Apple's 
crummy warranty service, so I know he gets my email 




Apple has worked hard to make iOS devices 
reasonably secure against typical attackers 

Apple has worked hard to ensure that Apple can 
access data on end-user devices on behalf of law 
enforcement 

To their credit, iPhone 5^ + iOS 7 is more secure 
from everybody except Apple (and .gov) 

Apple's Law Enforcement Process Guidelines: 

o https://www.apple.com/legal/more-resources/law-enforcement/ 



Requires a warrant for actual content from iCloud, iTunes, or 
from the device itself 

A subpoena appears good enough for "metadata" 

Recent changes will notify all customers unless a 
confidentiality order is included; so most agencies are now 
getting confidentiality orders with every warrant. 

When provided with the physical device, Apple will retrieve 
and return NSProtectionNone data from passcode locked 
devices; rumors of a PIN brute forcer are floating around, but 
I'm told this practice stopped around iOS 5. 

Process is now taking about four months on average, and costs 
about $1,000, so LE is looking for streamlined / inexpensive 
tools to collect evidence. 



Extracting Data from Passcode Locked iOS Devices 

Upon receipt of a valid search warrant, Apple can extract 
certain categories of active data from passcode locked 
iOS devices. Specifically, the user generated active files on 
an iOS device that are contained in Apple's native apps and for 
which the data is not encrypted using the passcode ("user 
generated active files"), can be extracted and provided to law 
enforcement on external media. Apple can perform this data 
extraction process on iOS devices running iOS 4 or more recent 
versions of iOS. Please note the only categories of user generated 
active files that can be provided to law enforcement, pursuant to 
a valid search warrant, are: SMS, photos, videos, contacts, 
audio recording, and call history. Apple cannot provide: 
email, calendar entries, or any third-party App data. 



iOS 4 Storage Encryption Overview 
Encryption in iOS 7: Not Much Changed 



• Almost all native application / OS data is encrypted with a key 
not married to the passcode, but rather encrypted with a 
hardware deduced key (NSProtectionNone) 

• As of iOS 7, third party documents are encrypted, but 
Library and Caches folders are usually not 

• Once the device is first unlocked after reboot, most of the 
data-protection encrypted data can be accessed until the 
device is shut down 

o Screen Lock != Encrypted 

• The undocumented services running on every iOS device help 
make this possible 

• Your device is almost always at risk of spilling all data, since 
it's almost always authenticated, even while locked. 





Latest commercial forensics tools perform deep 
extraction using these services 

Tablet forensics in the field can acquire a device at a 
routine traffic stop, or during arrest - before device 
can be shut down (leaving encryption unlocked) 

Federal agencies have always been interested in 
black bag techniques (compromised docking 
stations, alarm clocks, etc). 

Snowden Docs: Computer infiltration was used 



Accessed through lockdownd, requiring pairing 
authentication. (Explain Pairing) 

MACTANS talk demonstrated how easy Juice 
Jacking can be to establish pairing 

o iOS 7 trust dialog helps, but third party accessories are making 
people stupid again ... and people are naturally stupid too 

Law enforcement agencies moving to tablet devices 
for pairing and acquisition in the field; USB thumb 
drive to scan computers for pairing records 

Der Spiegel outlined black bag techniques to access a 
target's computer, where pairing records live 



"The documents state that it is possible for the NSA 
to tap most sensitive data held on these smart 
phones, including contact lists, SMS traffic, 
notes and location information about where a 
user has been. In the internal documents, experts 
boast about successful access to iPhone data in 
instances where the NSA is able to infiltrate the 
computer a person uses to sync their iPhone. 
Mini-programs, so-called "scripts," then enable 
additional access to at least 38 iPhone features." 



Bypasses "Backup Encryption" mechanism provided 
to users 

Can be accessed both via USB and wirelessly (WiFi, 
maybe cellular); networks can be scanned for a 
specific target 

If device has not been rebooted since user last 
entered PIN, can access all data encrypted with 
data-protection (third party app data, etc) 

Other (more legitimate) services enable software 
installation, APN installation (adding proxy servers) 
for continued monitoring 



Most services are not referenced by any known Apple 
software (we've looked) 

The raw format of the data makes it impossible to 
put data back onto the phone, making it useless for 
Genius Bar or carrier tech purposes (cpio.gz, etc) 

The personal nature of the data makes it very 
unlikely as a debugging mechanism 

Bypassing backup encryption is deceptive 

Services are available without developer mode, 
eliminating their purpose as developer tools 



DROPOUTJEEP 

• DROPOUTJEEP describes techniques, most of which are possible with Apple's 
undocumented services 

• SMS messaging suggests either jailbreak or baseband code 

(TS//SI//REL) DROPOUTJEEP is a STRAITBIZARRE based software implant for the 
Apple iPhone operating system and uses the CHIMNEYPOOL framework. 
DROPOUTJEEP is compliant with the FREEFLOW project, therefore it is supported in 
the TURBULENCE architecture. 

(TS//SI//REL) DROPOUTJEEP is a software implant for the Apple iPhone that utilizes 
modular mission applications to provide specific SIGINT functionality. This 
functionality includes the ability to remotely push/pull files from the device, 
SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera 
capture, cell tower location, etc. Command, control, and data exfiltration can occur 
over SMS messaging or a GPRS data connection. All communications with the 
implant will be covert and encrypted. 

(TS//SI//REL) The initial release of DROPOUTJEEP will focus on installing the 
implant via close access methods. A remote installation capability will be pursued 
for a future release. 




Connect to lockdownd (tcp: 62078) via usbmux or TCP 

Authenticate with intercepted / generated pairing record 

Invoke "StartService" command with name of the service 
we wish to start 

Profit* 

* A number of commercial law enforcement forensic 
manufacturers have started tapping these services: 

o Cellebrite 

o AccessData (Mobile Phone Examiner) 
o Elcomsoft 
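
A detection-side sketch for the network path described above, added here as an example and not taken from the talk: it reads flow records and flags hosts that reach lockdownd's TCP port without being a known paired host, and hosts that sweep the port across several devices. The flow-record format, the addresses and the `PAIRED_HOSTS` allowlist are constructed assumptions.

```python
from collections import defaultdict

LOCKDOWND_PORT = 62078  # lockdownd TCP port named on the slide

# Constructed flow records: "epoch src dst dport" (format is an assumption).
SAMPLE_FLOWS = """\
1405700000 10.0.0.5 10.0.0.21 62078
1405700004 10.0.0.5 10.0.0.21 443
1405700010 10.0.0.66 10.0.0.21 62078
1405700011 10.0.0.66 10.0.0.22 62078
1405700012 10.0.0.66 10.0.0.23 62078
1405700013 10.0.0.66 10.0.0.24 62078
malformed line here
1405700900 10.0.0.77 10.0.0.22 62078
"""

# Constructed allowlist: host -> devices it is legitimately paired with.
PAIRED_HOSTS = {"10.0.0.5": {"10.0.0.21"}}


def detect_lockdownd_access(text, paired, scan_threshold=3, window=60):
    """Flag unpaired access to lockdownd and sweeps of the port."""
    by_src = defaultdict(list)
    skipped = 0
    for line in text.splitlines():
        parts = line.split()
        try:
            ts, src, dst, dport = int(parts[0]), parts[1], parts[2], int(parts[3])
        except (IndexError, ValueError):
            skipped += 1          # count unparseable records, do not hide them
            continue
        if dport == LOCKDOWND_PORT:
            by_src[src].append((ts, dst))

    unpaired, scanners = [], []
    for src, events in sorted(by_src.items()):
        events.sort()
        for _, dst in events:
            if dst not in paired.get(src, ()):
                unpaired.append((src, dst))
        # Sliding window: many distinct devices touched within `window` seconds.
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({d for _, d in events[start:end + 1]}) >= scan_threshold:
                scanners.append(src)
                break
    return {"unpaired": unpaired, "scanners": scanners, "skipped": skipped}


if __name__ == "__main__":
    print(detect_lockdownd_access(SAMPLE_FLOWS, PAIRED_HOSTS))
```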




Nearly all lockdownd protocols have been 
documented in the libimobiledevice project 
(libimobiledevice.org). 

Been around since 2009 but many of these services 
haven't been re-examined since then; initially benign 

A number of private tools and source are out there as 
well to take advantage of these services 



• Immediately starts libpcap on the device 

• Dumps network traffic and HTTP request/response data 
traveling into and out of the device 

• Does not require developer mode; is active on every iOS 
device 

• Can be targeted via WiFi for remote monitoring 

• No visual indication to the user that the packet sniffer is 
running. 

WHY DO WE NEED A PACKET SNIFFER RUNNING ON 
600 MILLION PERSONAL IOS DEVICES? 
Example from iOS 7.1.2 

Developer Mode NOT turned on 

Packet sniffing now available on 600 million 
iOS devices 



Biggest forensic trove of intelligence on the device 

Found in /usr/libexec/mobile_file_relay on device 

Provides physical artifacts vs. logical (databases; deleted 
records can be recovered) 

Transmits large swaths of raw file data in a compressed 
cpio archive, based on the data source requested. 

Completely bypasses Apple's backup encryption for 
end-user security. 

Once thought benign, has evolved considerably, even in 
iOS 7, to expose much personal data. 

Very intentionally placed and intended to dump data 
from the device by request 



com.apple.mobile.file_relay 



• File Relay sources in iOS v2: 

AppleSupport 

Network 
WiFi 

UserDatabases 
CrashReporter 
SystemConfiguration 





com.apple.mobile.file_relay 

• File Relay sources in iOS 7: 

Accounts 
AddressBook 
AppleSupport 
AppleTV 
Baseband 
Bluetooth 
CrashReporter 
CLTM 
Caches 
CoreLocation 
DataAccess 
DataMigrator 
demod 
Device-o-Matic 
EmbeddedSocial 
FindMyiPhone 
GameKitLogs 
itunesstored 
IORegUSBDevice 
HFSMeta 
Keyboard 
Lockdown 
MapsLogs 
MobileAsset 
MobileBackup 
MobileCal 
MobileDelete 
MobileInstallation 
MobileMusicPlayer 
MobileNotes 
NANDDebugInfo 
Network 
Photos 
SafeHarbor 
SystemConfiguration 
tmp 
Ubiquity 
UserDatabases 
VARFS 
VPN 
Voicemail 
WiFi 
WirelessAutomation 



Accounts: A list of email, Twitter, iCloud, Facebook 
etc. accounts configured on the device. 

AddressBook: A copy of the user's address book 
SQLite database; deleted records recoverable. 

Caches: The user cache folder: suspend screenshots 
(last thing you were looking at), shared images, 
offline content, clipboard/pasteboard, map tile 
images, keyboard typing cache, other personal data 

CoreLocation: GPS logs; cache of locations taken at 
frequent intervals (com.apple.routined) 

o Files lockCache_encryptedA.db and cache_encryptedA.db 
o Similar to the old consolidated.db database from iOS 4 
o Timestamps span ~60 days on my phone 



com.apple.mobile.file_relay 




• HFSMeta (New in iOS 7!): A complete metadata disk 
sparseimage of the iOS file system, sans actual content. 

o Timestamps, filenames, sizes, creation dates of all files 
o When device was last activated / wiped 

o All applications installed on a device and filenames of all documents 
(e.g. Dropbox documents, etc) 

o The filenames of all email attachments on the device 

o All email accounts configured on a device 

o Host IDs and timestamps of all devices paired with the device 

o Phone numbers and timestamps of everyone for whom an SMS draft 
was saved 

o Timeline of activity based on timestamp data 




Keyboard: A copy of the keyboard autocorrect cache 

o DynamicDictionary-4: First half contains all recent typed 
content from all applications, consolidated and in the order it 
was typed 

o DynamicDictionary-5: Improved, contains words and word 
counts only 

MobileCal, MobileNotes: Complete database images 
of the user's calendar, alarms, and notes databases in 
SQLite format (deleted records recoverable). 

Photos: Complete dump of user's photo album (not 
just camera roll) stored on the device 

UserDatabases: (Been around since v2) dump of 
address book, calendar, call history, SMS database, 
email metadata (envelope index); SQLite databases 
(deleted records recoverable) 

VARFS: (predecessor to HFSMeta) virtual file system 
metadata dump in statvfs format. 

Voicemail: Copy of user's voicemail database and 
audio files (AMR format) 



Originally used to allow iTunes to copy documents 
to/from third party applications 

Even though iTunes doesn't permit it through GUI, 
the service allows access to the Library, Caches, 
Cookies, Preferences folders as well 

These folders provide highly sensitive account 
storage, social/Facebook caches, photos and other 
data stored in "vaults", and much more. 



Recent photos from my stream 
Most recent timeline 

Private message database; numerous deleted 
messages recovered 

Screenshots of my last use of Twitter 

OAuth tokens (when combined with consumer key/ 
secret, can be used to spy on all future 
correspondence remotely) 



Copies of the actual photos the vaults are 
"protecting" 

Configuration files including the PIN, or a hash of 
the PIN 

Occasionally, developer will actually encrypt files 
Sometimes encryption keys or PIN dumped to syslog 



Theories 




Maybe iTunes or Xcode use them? No. 

o iTunes uses com.apple.mobilesync, backup2, and other 
facilities, but none use file relay or pcap 

o iTunes uses house_arrest, but only for accessing Documents; 
there's no need to allow access to Library, Cache, or other 
privileged folders 

o iTunes respects backup encryption 




Maybe for Genius Bar or Apple Support? No. 

o Data is in too raw a format to be used for tech support 

o Can't be put back onto the phone in any way 

o Tech support use shouldn't call for bypassing backup password 

o Data is far too personal in nature for mere tech support 





Maybe for Developers for Debugging? No. 

o Actual developer tools live on the developer image, and are 
only available when Developer Mode is enabled 

o Xcode does not provide a packet sniffing interface for 
developers 

o Developers don't need to bypass backup encryption 
o Developers don't need access to such sensitive content 
o Apple wants developers to use the SDK APIs to get data 
o There are no docs to tell developers about these "features" 
Theories 




• Maybe for Engineering / Debugging? No. 

o Not all 600 million devices need debugging always on 

o By preventing localhost connections, Apple must know these 
services are being abused by malware 

o You still wouldn't need to bypass backup encryption 

o Engineering wouldn't need access to such personal data 




Theories 




• Maybe old debug code they forgot was in there? No. 

o Apple has been maintaining and enhancing this code, even 
with iOS 7; they know it's there 

o Have emailed Apple's CEOs and gotten no response 

o It's not buried; it's listed in Services.plist 

o While house_arrest security issues might be "bugs", file relay 




While more benign, the following services are good 
attack targets for forensic artifacts: 

com.apple.iosdiagnostics.relay: Provides detailed network 
usage per-application on a per-day basis 

com.apple.mobile.installation_proxy: Given an enterprise 
certificate, can use this to load custom software onto the 
device (which can run invisibly and in the background) 

com.apple.syslog_relay: Syslog, provides a lot of details 
about what the device is doing, and often leaks user 
credentials from 3rd party apps via NSLog() 



Installing invisible software that backgrounds is still easy 
to do in iOS 7 

Apple made a crucial security improvement in iOS 7: 
prevented socket connections to localhost / local IP 

o Prior to this, I had spyware running invisibly that could dump a 
phone and send its contents remotely anywhere, (never released for 
obvious reasons) 

This stopped a number of privately used spyware apps in 
their tracks; they can not connect to localhost:62078 

Future spyware: phones attacking other phones on the 
network (zomg zombies) 



Invisible Malware 




• Info.plist: 

<key>SBAppTags</key> 
<array> 
    <string>hidden</string> 
</array> 

<key>UIBackgroundModes</key> 
<array> 
    <string>voip</string> 
</array> 



Backgrounding Malware 




[[UIApplication sharedApplication] 
    setKeepAliveTimeout:600 handler:^(void) 
{ 
    /* Do bad things in background */ 
}]; 



In iOS 7, you can still capture: 

• All socket connections (netstat data) 

• Process information (ps data) 

• A number of personal files on the device 

• Launch some very closely-held-to-the-vest userland exploits 




But Wait. I paid $600 for a Fingerprint Reader 



• Fingerprint reader: Doesn't add any additional 
encryption beyond basic PIN 

• Has been shown to be spoofed with the right equipment 

• Allows GUI access, therefore allowing pairing, 
therefore allowing forensic dumps 

• Oh, and... there's a bypass switch for pairing anyway 





Added for supervised devices to be accessible (e.g. 
employee dies, leaves on bad terms, criminal 
investigation). 

Devices try to call home when first configured to 
download automatic configurator profile, (likely used for 
large-scale MDM rollouts). 

An electronic alternative to interdiction could be 
deployed by spoofing Apple's certificates and 
configuring / pairing the device out of the box. 

OR by penetrating a targeted organization, supervisor 
records can be used to pair with and access any device 
they're supervising. 



Deny all pairing 

Allow pairing, but prompt the user 

Allow pairing with no user prompt (and while 
locked) 

Allow pairing with a challenge/response 



Pairing Bypass 




; Check -[MCProfileConnection hostMayPairWithOptions:challenge:] 

__text:0001938E    LDR.W    R0, [R8,#0xC] 
__text:00019392    BL       sub_5754 
__text:00019396    CMP      R0, #0 
__text:00019398    BNE.W    loc_19AA8 
__text:0001939C    LDR.W    R1, [R8,#0x1C] 
__text:000193A0    ADD      R2, SP, #0x7E8+var_420 
__text:000193A2    ADD      R3, SP, #0x7E8+out 
__text:000193A4    MOV      R0, R4 
__text:000193A6    BL       sub_1F100 

; Pairing is explicitly forbidden by MC 

__text:000193AA    CMP      R0, #0 
__text:000193AC    BEQ.W    loc_19AB0 

; Pairing is allowed by MC, but with challenge/response 

__text:000193B0    LDRB.W   R0, [SP,#0x7E8+out] 
__text:000193B4    CMP      R0, #0 
__text:000193B6    BNE.W    loc_19AC2 

; Pairing is allowed by MC while locked / untrusted without 
; any challenge/response (pairing security is bypassed) 

__text:000193BA    LDRB.W   R0, [SP,#0x7E8+var_420] 
__text:000193BE    CMP      R0, #0 
__text:000193C0    BNE.W    loc_19B06          <- Profit 

; Pairing is allowed while locked / untrusted if the device 
; doesn't support it 

__text:000193C4    MOV      R0, #(cfstr_Hasspringboa_1 - 0x193D0) ; "HasSpringBoard" 
__text:000193CC    ADD      R0, PC ; "HasSpringBoard" 
__text:000193CE    BLX      _MGGetBoolAnswer 
__text:000193D2    CMP      R0, #1 
__text:000193D4    BNE.W    loc_19B06 

; Actual pairing security routines (check device lock, whether 
; user has pressed "Trust", and so on) 

__text:000193D8    MOVS     R0, #0 
__text:000193DA    BLX      _MKBGetDeviceLockState 



if (mc_allows_pairing_while_locked || device_has_no_springboard_gui) 
{ 
    goto skip_device_lock_and_trust_checks; /* Skip security */ 
} 

/* Pairing Security */ 
if (device_is_locked == true) { 
    if (setup_has_completed) { 
        if (user_never_pushed_trust) { 
            error(PasswordProtected); 
        } 
    } 
} 



On setup, teslad connects to 
https://iprofiles.apple.com 

o /resource/certificate.cer 
o /session and /profile 

o Capable of downloading MCCloudConfiguration 

Could be used for electronic interdiction, either with 
technology or secret FISA order 

MCCloudConfiguration affects pairing bypass 

Built-in mechanism to bypass SSL validation. WTF. 

o MCTeslaConfigurationFetcher checks for 
MCCloudConfigAcceptAnyHTTPSCertificate 



Once configured, a new cloud configuration can be 
downloaded via periodic check-in 

-[MCProfileConnection retrieveCloudConfigurationFromURL:username:password:anchorCertificates:completionBlock:] 

o Great attack surface if you can get past the SSL 
o Not necessary if you have a secret FISA order 



Why is there a packet sniffer running on 600 million 
personal iOS devices instead of moved to the developer 
mount? 

Why are there undocumented services that bypass user 
backup encryption that dump mass amounts of personal 
data from the phone? 

Why is most of my user data still not encrypted with the 
PIN or passphrase, enabling the invasion of my personal 
privacy by YOU? 

Why is there still no mechanism to review the devices my 
iPhone is paired with, so I can delete ones that don't 
belong? 



Pairing Locking 




; Check -[MCProfileConnection hostMayPairWithOptions:challenge:] 

__text:0001938E    LDR.W    R0, [R8,#0xC] 
__text:00019392    BL       sub_5754 
__text:00019396    CMP      R0, #0 
__text:00019398    BNE.W    loc_19AA8 
__text:0001939C    LDR.W    R1, [R8,#0x1C] 
__text:000193A0    ADD      R2, SP, #0x7E8+var_420 
__text:000193A2    ADD      R3, SP, #0x7E8+out 
__text:000193A4    MOV      R0, R4 
__text:000193A6    BL       sub_1F100 

; Pairing is explicitly forbidden by MC 

__text:000193AA    CMP      R0, #0             <- HOW DO WE MAKE THIS WORK? 
__text:000193AC    BEQ.W    loc_19AB0 

; Pairing is allowed by MC, but with challenge/response 

__text:000193B0    LDRB.W   R0, [SP,#0x7E8+out] 
__text:000193B4    CMP      R0, #0 
__text:000193B6    BNE.W    loc_19AC2 

; Pairing is allowed by MC while locked / untrusted without 
; any challenge/response (pairing security is bypassed) 

__text:000193BA    LDRB.W   R0, [SP,#0x7E8+var_420] 
__text:000193BE    CMP      R0, #0 
__text:000193C0    BNE.W    loc_19B06 

; Pairing is allowed while locked / untrusted if the device 
; doesn't support it 

__text:000193C4    MOV      R0, #(cfstr_Hasspringboa_1 - 0x193D0) ; "HasSpringBoard" 
__text:000193CC    ADD      R0, PC ; "HasSpringBoard" 
__text:000193CE    BLX      _MGGetBoolAnswer 
__text:000193D2    CMP      R0, #1 
__text:000193D4    BNE.W    loc_19B06 

; Actual pairing security routines (check device lock, whether 
; user has pressed "Trust", and so on) 

__text:000193D8    MOVS     R0, #0 
__text:000193DA    BLX      _MKBGetDeviceLockState 



Free in the Mac App Store 

Allows you to set enterprise MDM restrictions on your 
device 

Can be used to prevent pairing even when unlocked 

Pair once with your desktop, then never again... OR (if 
you're paranoid) delete all pairing records and prevent 
any comms. 

Won't help you if device sent to Apple; should still use a 
complex passphrase 

Removable later if you change your mind 
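
Since the device offers no way to review its pairings, the host side is where pairing records can be inspected before deleting them. The audit below is an added example, not a tool from the talk: the record key names (`HostID`, `HostPrivateKey`, `RootPrivateKey`, `EscrowBag`) follow the pairing-record format as documented by libimobiledevice, the sample records are constructed, and on a real host you would point it at the lockdown directory (on OS X, /var/db/lockdown, a path not given on the slides).

```python
import os
import plistlib
import tempfile
import time
from pathlib import Path
from xml.parsers.expat import ExpatError

# Pairing-record keys that let whoever holds the file authenticate to the
# device (host/root private keys) or unlock protected data (EscrowBag).
SECRET_KEYS = ("HostPrivateKey", "RootPrivateKey", "EscrowBag")


def audit_pairing_records(directory, max_age_days=30, now=None):
    """Return one finding dict per *.plist under `directory`."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(directory).glob("*.plist")):
        finding = {"file": path.name, "issues": []}
        findings.append(finding)
        try:
            with path.open("rb") as fh:
                record = plistlib.load(fh)
        except (ValueError, OSError, ExpatError):
            finding["issues"].append("unparseable")
            continue
        # Files such as SystemConfiguration.plist sit beside the records
        # but carry no host identity; report them separately.
        if not isinstance(record, dict) or "HostID" not in record:
            finding["issues"].append("not-a-pairing-record")
            continue
        finding["device"] = path.stem   # record file is named after the device
        finding["host_id"] = record["HostID"]
        finding["secrets"] = [k for k in SECRET_KEYS if k in record]
        st = path.stat()
        finding["age_days"] = int((now - st.st_mtime) // 86400)
        if st.st_mode & 0o077:
            finding["issues"].append("accessible-by-other-users")
        if finding["age_days"] > max_age_days:
            finding["issues"].append("stale")
        if "EscrowBag" in record:
            finding["issues"].append("escrow-bag-present")
    return findings


def build_constructed_sample(directory, now):
    """Write constructed (fake) records so the audit runs offline."""
    d = Path(directory)
    fake = {"HostID": "CONSTRUCTED-HOST-A", "HostPrivateKey": b"x",
            "RootPrivateKey": b"x", "DeviceCertificate": b"x"}
    samples = {
        "constructed-udid-0001.plist": (dict(fake, EscrowBag=b"x"), 0o644, 90),
        "constructed-udid-0002.plist": (dict(fake, HostID="CONSTRUCTED-HOST-B"), 0o600, 1),
        "SystemConfiguration.plist": ({"SystemBUID": "CONSTRUCTED-BUID"}, 0o600, 1),
    }
    for name, (record, mode, age_days) in samples.items():
        p = d / name
        with p.open("wb") as fh:
            plistlib.dump(record, fh)
        os.chmod(p, mode)
        stamp = now - age_days * 86400
        os.utime(p, (stamp, stamp))
    (d / "garbage.plist").write_bytes(b"not a plist")


def run_demo():
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp, now)
        return audit_pairing_records(tmp, max_age_days=30, now=now)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```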



Forensics Tools 




Every commercial forensics tool, after pair 
locking with Configurator: 




[SOBBING MATHEMATICALLY] 



[Screenshot: Apple Configurator device settings] 

Name: Supervised Device (option: Number sequentially starting at 1) 

Supervision: ON 

Option: Allow devices to connect to other Macs 

Update iOS: When update is available 

Option: Erase before installing 

When a supervised device is refreshed: Remove apps and profiles Configurator did not install 



Pair Locking with Configurator 




Profiles: Pairing Profile 






[Screenshot: Configurator profile editor. Restrictions: 1 payload configured. 
Global HTTP Proxy, Web Content Filter, Wi-Fi: not configured.] 

Restriction options shown: 

o Force limited ad tracking 
o Allow users to accept untrusted TLS certificates 
o Allow automatic updates to certificate trust settings 
o Allow installing configuration profiles (supervised only) 
o Allow modifying account settings (supervised only) 
o Allow modifying Find my Friends settings (supervised only) 
o Allow pairing with non-Configurator hosts (supervised only) 
o Allow documents from managed apps in unmanaged apps 
o Allow documents from unmanaged apps in managed apps 



Restrictions: Disables pairing with iTunes. 
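
To confirm that an exported profile really carries the pair-locking restriction, the added example below (not from the talk) builds a permissive and a locked profile side by side and evaluates them. The key `allowHostPairing` and payload type `com.apple.applicationaccess` come from Apple's configuration profile format rather than from the slides; the identifiers and UUIDs are constructed, and the handling of signed profiles is a best-effort assumption that the XML is stored contiguously inside the signature wrapper.

```python
import plistlib
from xml.parsers.expat import ExpatError

RESTRICTIONS = "com.apple.applicationaccess"  # Restrictions payload type


def build_profile(allow_host_pairing=None):
    """Build a constructed, unsigned profile holding one Restrictions payload."""
    payload = {
        "PayloadType": RESTRICTIONS,
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.constructed.restrictions",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    }
    if allow_host_pairing is not None:
        # False = "Allow pairing with non-Configurator hosts" unchecked
        payload["allowHostPairing"] = allow_host_pairing
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.constructed.pairlock",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadDisplayName": "Pairing Profile",
        "PayloadContent": [payload],
    })


def load_profile(blob):
    """Parse a profile; if it is wrapped (signed), parse the embedded XML."""
    try:
        return plistlib.loads(blob)
    except (ValueError, ExpatError):
        start, end = blob.find(b"<?xml"), blob.rfind(b"</plist>")
        if start < 0 or end < start:
            raise ValueError("no property list found in profile")
        return plistlib.loads(blob[start:end + len(b"</plist>")])


def host_pairing_policy(profile_blobs):
    """Return 'locked', 'allowed' or 'unset' for a set of installed profiles.

    'unset' means no profile mentions the key, so the device default
    (pairing permitted) applies.
    """
    verdict = "unset"
    for blob in profile_blobs:
        for payload in load_profile(blob).get("PayloadContent", []):
            if payload.get("PayloadType") != RESTRICTIONS:
                continue
            value = payload.get("allowHostPairing")
            if value is False:
                return "locked"      # one restricting profile is enough
            if value is True:
                verdict = "allowed"
    return verdict


if __name__ == "__main__":
    print("permissive profile:", host_pairing_policy([build_profile(True)]))
    print("pair-locked profile:", host_pairing_policy([build_profile(False)]))
```

The restriction only takes effect on supervised devices, so a "locked" result on an unsupervised device does not mean pairing is blocked.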



Asymmetric cryptography to allow encryption of 
incoming SMS, Photos, etc. without requiring decryption 

File system equivalent of "session keys" for memory 
resident processes (CommCenter) to uniquely decrypt 
shadow copy of certain data (AddressBook) 

Add boot password to encapsulate existing FS 
encryption; makes stronger / complex passwords less 
inconvenient 

When pairing, encrypt all keys and EscrowBag sent from 
phone using backup password, so can't be used without 
something you know. 



Apple is dishing out a lot of data behind our backs 

It's a violation of the customer's trust and privacy to 
bypass backup encryption 

There is no valid excuse to leak personal data or allow 
packet sniffing without the user's knowledge and 
permission. 

Much of this data simply should never come off the 
phone, even during a backup. 

Apple has added many conveniences for enterprises that 
make tasty attack points for .gov and criminals 

Overall, the otherwise great security of iOS has been 
compromised... by Apple... by design. 



Thank You 




Questions? 



@JZdziarski 



